Skip to main content

Republic Act No. 10173

The promulgation of Republic Act No. 10173, referred to as the Data Privacy Act of 2012 (DPA), aims to protect personal data in information and communications systems in both the government and the private sectors.

The law ensures that institutions or organizations processing personal data enact policies, and implement procedures that guarantee the security of personal data under their control, thereby upholding an individual’s data privacy rights. A personal information controller or personal information processor is directed to implement adequate measures to protect personal data against natural dangers such as loss or destruction, and human dangers such as unlawful access, fraudulent misuse, and malicious destruction or alteration.

The Data Privacy Office (DPO)

SPU Manila respects and values the privacy rights of data subjects—students, employees, clients, stakeholders and customers, and all personal data collected from these subjects are processed in adherence to the general principles of transparency, legitimate purpose, and proportionality.

In the conduct of collection of personal information, these seven (7) specific guidelines are hereby maintained, i.e., that the information will be:

  1. processed fairly and lawfully while meeting certain conditions;
  2. utilized for specific and lawful purposes;
  3. made sufficient, relevant, and not excessive;
  4. kept accurate and updated;
  5. maintained not longer than necessary;
  6. processed in accordance with an individual's rights; and
  7. provided with adequate safeguards

The DPA allows the further processing of personal data prior to or, in certain instances, subsequent to, the consent of the data subject. Thus, the recording, storage, updating, modification, retrieval, use, consolidation, and destruction of personal information may be made with or without the consent of the data subject. In all cases, however, the processing of personal data shall be made in such a manner as to ensure adequate safeguards for the rights of the data subjects.


In emergency and/or grave circumstances, specific to the processing of “Privileged Data”, the University President and/or the DPO is authorized to access the pertinent information of the data subject to immediately address the need of the moment guided by the general principles of transparency, legitimate purpose, and proportionality.

The following General Policies were agreed upon during the Kapihan session dated 14 November 2018:

  1. Shredding is the acceptable method of disposal of documents within the University.
  2. Employees’ Curriculum Vitae and Portfolios can be shredded with the Unit Head’s approval.
  3. Anything posted in the University website is for public use, e.g., Organizational Chart.
  4. Financial accounts of students, as verified by outside institutions for work purposes, are confidential in the Finance Office; the latter have to deal with student-concerned personally.
  5. For employee verification, Human Resource Services must be informed by the employee of this matter as regard bank loan/car/mobile/employment or similar purposes.
  6. Declaring SPU Manila as delivery address is permitted as long as the employee pays for the item upon delivery.
  7. Documents (sensitive and privileged) forwarded to another unit/office must be sealed to maintain confidentiality.

Data Being Protected in St. Paul University Manila

  • Personal Information – refers to any information, whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
  • Privileged Data – refers to information that constitutes privileged communication under the Rules of Court and other pertinent laws (e.g. marital privilege, attorney-client privilege, clergy-penitent privilege, doctor-patient privilege).
  • Public Data – refers to any information generated and intended to be made accessible to a general audience, posing little to no risk to the University and its affiliates (e.g. press releases, course information, and research publications). These data are handled with the least amount of control, accounting only for the prevention of unauthorized modification or destruction.
  • Sensitive Data – refers to information different from ordinary personal data, such as but not limited to an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical, or political affiliations; about an individual’s health, education, genetic or sexual life; pertaining to any proceeding or any offense committed or alleged to have been committed; issued by government agencies “peculiar” (unique) to an individual, such as social security number, licenses, tax returns. These require much stricter conditions of processing.